ci: Adapt publish.yaml to use npm's trusted publishing

- Add comment to clarify id-token: write permission
- Remove obsolete usage of NPM auth token
- Add npm scope and move up pnpm setup in publish workflow
  - Authentication via OIDC for NPM's trusted publishing may need to explicitly define
    scope if it doesn't match the repository owner.
    This is the case here because the repository owner is eclipsesource.
  - Move pnpm setup before node setup to avoid pnpm overriding .npmrc changes
    done by node setup for trusted publishing
- Add always-auth option to node setup to force auth after pnpm setup

Author: lucas-koehler

.github/workflows/publish.yaml

@@ -24,7 +24,7 @@ jobs:
   publish:
     permissions:
       contents: 'write'
-      id-token: 'write'
+      id-token: 'write' # Required for npm OIDC
     runs-on: 'ubuntu-latest'
     steps:
       - uses: 'actions/checkout@v4'
@@ -36,18 +36,20 @@ jobs:
           git config user.name "jsonforms-publish[bot]"
           git config user.email "[email protected]"
 
-      - name: 'Setup node'
-        uses: 'actions/setup-node@v4'
-        with:
-          node-version: '22'
-          registry-url: 'https://registry.npmjs.org'
-
       - uses: pnpm/action-setup@a7487c7e89a18df4991f7f222e4898a00d66ddda # v4.1.0
         name: Install pnpm
         id: pnpm-install
         with:
           run_install: false
 
+      - name: 'Setup node'
+        uses: 'actions/setup-node@v4'
+        with:
+          node-version: '22'
+          registry-url: 'https://registry.npmjs.org'
+          scope: '@jsonforms' # ensure OIDC token is tied to the scope
+          always-auth: true
+
       - name: 'Install Packages'
         run: 'pnpm i --frozen-lockfile'
 
@@ -87,5 +89,4 @@ jobs:
         if: github.event.inputs.skip_publish == 'false'
         run: "pnpm publish --recursive ${{  github.event.inputs.stable_release == 'true' && ' ' || '--tag next' }}"
         env:
-          NODE_AUTH_TOKEN: '${{ secrets.NPM_TOKEN }}'
           NPM_CONFIG_PROVENANCE: 'true'